Microsoft is really making it hard not to distrust them, aren't they? We already talked about Mono and Moonlight this weekend, and now we're notified of something else. Apparently, the Microsoft .NET Framework 3.5 Service Pack 1, released earlier this year, installs a Firefox extension which could not be uninstalled easily (registry hacking was needed). To make matters worse, this extension came with a pretty big security hole (at least, that's what everyone says). A newer version of this extension has been pushed out in May, which can be uninstalled the proper way. As it turns out, Firefox apparently has a limitation in that extensions installed at the machine level (instead of the user level) cannot be uninstalled from within the extensions GUI.

Well even so, you should be able to remove it totally since why should it be there if you don't want it in the first place?

As for the title blurb of -"As it turns out, Firefox apparently has a limitation in that extensions installed at the machine level (instead of the user level) cannot be uninstalled from within the extensions GUI."

Ehh... the way I see it this has to do with file ownership and account privileges. Installing NET requires admin rights and as such any Firefox extensions installed by that NET package will be created by the admin account and thus the resulting files will be owned by the admin and not removeable by Firefox when running under a limited account.

Ehh... the way I see it this has to do with file ownership and account privileges. Installing NET requires admin rights and as such any Firefox extensions installed by that NET package will be created by the admin account and thus the resulting files will be owned by the admin and not removeable by Firefox when running under a limited account.

...in which case Firefox should notify you of this, and offer an elevation prompt - which it doesn't. Hence, a limitation in Firefox.

Ehh... the way I see it this has to do with file ownership and account privileges. Installing NET requires admin rights and as such any Firefox extensions installed by that NET package will be created by the admin account and thus the resulting files will be owned by the admin and not removeable by Firefox when running under a limited account.

...in which case Firefox should notify you of this, and offer an elevation prompt - which it doesn't. Hence, a limitation in Firefox.

And thus you enter into the realm of Kaiwai's argument as to why multi platform applications suck when there is an attempt to try and cater for every platform with no effort to customising each release for each platform - you have the worst of all worlds.

Don't distort what I say to make it fit your own agenda. Where do I say that pushing Firefox extensions without consent is "great"?

It's great that Microsoft is supporting Firefox users, but it does seem like they still have some learning to do here. I don't believe there's anything malicious going on here, but it still would be better to at least ask for the user's permission, but preferably, to just put the extension on Mozilla's website.

The real question is, why doesn't Firefox prevent this kind of behavior? I noticed that AVG was doing the same thing in order to install browser extensions (which slowed web surfing down to a crawl), which is one of the reasons I stopped using it.

The ONLY way you should be able to install extensions is through the browser itself. I'm not excusing the behavior of MS or anybody else who does this, but the fact that programs are able to do it in the first place is a security flaw in Firefox as far as I'm concerned.

How *can* Firefox prevent it? How can Firefox distinguish between an extension installed through the Firefox interface, and an extension installed through something writing the exact same content to disk?

How *can* Firefox prevent it? How can Firefox distinguish between an extension installed through the Firefox interface, and an extension installed through something writing the exact same content to disk?

I don't know? Perhaps it could have a list of installed extensions in a file that was encrypted, so that outside apps couldn't write to it? Of course, it might get corrupted, but hey... there are smarter people than me to figure these things out

I agree that it is admirable to see Microsoft recognising another major player in the browser market. A feature like this can be quite useful for deploying .Net software easily in much the same way as Java Web Start. It's unfortunate that the initial deployment was flawed, but at least this has been rectified now.

By the way—

I could not find any information on the security hole which would allow silent installs, so if anyone has any information on that, let us know.

Is it too much to ask to do some research first before submitting your stories? You shouldn't make claims like this and expect people to do the work to back up your statements for you.

http://www.ddj.com/security/196801171
ClickOnce deployment is designed from the ground up to be a limited user deployment mechanism, and it has various security features in place to ensure a trustworthy deployment.

While I think that installing the Add-On at the system level instead of the user level is a bad idea (That has since been addressed), the practice of shipping and installing extensions without consent is not one limited solely to Microsoft.

Firefox stores extensions in a user folder, a malicious user could do way more harm than simply installing a few extensions, if they wanted to.

right, so I might eat the all-users installation required. However it also changes the UserAgent to spam all the .net platforms installed for each request. There is absolutely NO reason to do this.
Next they'll be sending along your version of office and whatever they feel they need to send along

Microsoft ARE abusing their rights when installing .net 3.5 - so dont.

It is not unusual to have software that is impossible (or partly possible) to uninstall on Windows. Windows users should have got used to it by now.

After installing Microsoft Office, Outlook Express, NET framework itself, for example, the system is hardly possible or impossible to revert to previous state. You've got those, so called, "components" embedded, and can't get rid of them without reinstalling the whole system.